Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1184
Views
0
Helpful
2
Replies

Certificate and SAML auth with AnyConnect

Antonio Macia
Participant
Participant

‎06-05-2020 01:40 AM

Hi,

Is it possible to perform certificate authentication in ASA with AnyConnect together with SAML using Cisco DUO Access Gateway?

 

Thanks.

Labels:
0 Helpful
2 Replies 2

Rob Ingram
VIP Expert VIP Expert
VIP Expert

‎06-05-2020 01:56 AM

Hi,

Yes that should be possible. With the ASA, under the tunnel-group configuration you can specify "aaa" for the DUO authentication AND "certificate" for the certificate authentication. The ASA will need to trust and validate the certificate presented by the client computer.

 

tunnel-group RAVPN webvpn-attributes
 authentication aaa certificate

HTH

0 Helpful

Antonio Macia
Participant
Participant
In response to Rob Ingram

‎06-05-2020 02:09 AM

Hi,

 

I already tried that but it doesn't work. Notice that selecting any other option different from "SAML" will make ASA to ignore the SAML Server configured below and use only the AAA server defined.

It should work using the DUO's Authentication Proxy as secondary AAA server, since it is a regular RADIUS server, but it has some limitations compared with the Access Gateway.

 

Regards.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents